
Page 1: Network Monitoring as a Layer of Security CS 691 Advanced System Security Design

UCCS - CS691 1

Network Monitoring as a Layer of Security

CS 691 Advanced System Security Design
University of Colorado – Colorado Springs

July 28th 2009
Jeff Miller

7/27/2009

Page 2

Introduction

Overview

“Your doctor is watching for danger signs as blood flows through vessels, valves and chambers of the heart, while your network monitoring systems are tracking data moving along cables and through servers, switches, connections and routers.”

– CIO magazine

Basic Definition

A vital activity where one or more computers monitor network traffic, infrastructure devices, and other computer systems. The system notifies administrators with alerts (email, pager, cell phone, etc.) when a problem exists.

Page 3

Introduction Continued

What it is

A system that collects data and alerts the admin when other systems or services are unavailable, or when a predefined threshold is reached (system resources, bandwidth usage, etc.)

What it isn’t

Network Monitoring is not an Intrusion Prevention System (IPS) or Intrusion Detection System (IDS)

Critical Availability

Always On – dedicated power; ePower (generator) is ideal, a battery backup system at a minimum

Page 4

Practical Application

Smart Grid
Internet Service Providers (ISPs)
Large Corporations
Hospitals
Military Networks
Everyone!?! Why not?

Page 5

Monitoring Techniques

Passive

SNMP – protocol for communicating – most basic and most popular
  Device based
  Limited information gathered
  Management Information Base (MIB)
  Monitor and Agent(s)

RMON – requires more expensive hardware (more CPU cycles, memory, etc.)
  Flow based
  Specific SNMP MIB
  Console and Probe(s)

NetFlow – developed by Cisco – Juniper Networks has J-Flow
  Collector and Probe(s)

Traffic Sniffers

Active

Generation and injection of test packets into the network. Test data is sent to devices, servers, and/or applications. Volume of traffic is fully adjustable.

Good way to test Service Level Agreements (SLAs)

Page 6

SNMP

Management Information Base (MIB)

Hierarchical collection of information that is accessed using SNMP

Comprised of managed objects

Follows Internet Engineering Task Force (IETF) and IEEE standards

Page 7

MIB Tree

Example: Oracle Database MIB

Page 8

MIB Tree

Example: 3Com Network Device MIB

Page 9

Monitoring via SNMP
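To make the MIB and SNMP slides concrete, the following added example (my own code, not from the slides, Nagios or any SNMP library) hand-encodes an SNMPv1 GetRequest for the load-average OID that appears later in the router checks, and decodes a GetResponse. The BER rules it implements are the standard ones: tag/length/value framing, minimal two's-complement integers, OIDs with the first two arcs folded into one byte and the remaining arcs in base-128. The agent reply is constructed in the demo so the round trip runs offline. From a defender's view the two things worth noticing are that the community string travels in clear text in every message, and that the decoder only accepts a reply whose request-id matches the request it sent.

```python
# BER tags SNMPv1 uses (RFC 1155/1157): universal types, application types, context-specific PDU tags
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
COUNTER32, GAUGE32, TIMETICKS = 0x41, 0x42, 0x43
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2

def ber_len(n):
    """BER length: one byte below 128, else (0x80 | byte count) followed by the big-endian count."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def enc_int(value, tag=INTEGER):
    """Minimal two's-complement encoding; a leading 0x00 appears whenever the top bit would be set."""
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def dec_int(raw, signed=True):
    return int.from_bytes(raw, "big", signed=signed)

def enc_oid(dotted):
    """OID: first two arcs fold into one byte (40*x + y); later arcs are base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))

def dec_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def build_message(pdu_tag, community, request_id, oid, value_tlv):
    """Message ::= SEQUENCE { version 0, community, PDU { request-id, error-status, error-index, varbinds } }"""
    varbind = tlv(SEQUENCE, enc_oid(oid) + value_tlv)
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, enc_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)

def read_tlv(buf, pos=0):
    """Return (tag, value bytes, position after this TLV); refuses lengths that run past the buffer."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds packet")
    return tag, buf[pos:pos + length], pos + length

def parse_get_response(packet, expected_request_id):
    """Decode a GetResponse into {oid: value}; reject wrong PDU types, mismatched request-ids and agent errors."""
    tag, msg, _ = read_tlv(packet)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(msg)
    if dec_int(version) != 0:
        raise ValueError("not SNMPv1")
    _, _community, pos = read_tlv(msg, pos)          # community string: the protocol sends it in clear text
    tag, pdu, _ = read_tlv(msg, pos)
    if tag != GET_RESPONSE:
        raise ValueError("unexpected PDU type 0x%02x" % tag)
    _, rid, pos = read_tlv(pdu)
    _, err, pos = read_tlv(pdu, pos)
    _, _err_index, pos = read_tlv(pdu, pos)
    if dec_int(rid) != expected_request_id:
        raise ValueError("request-id mismatch: stray or forged reply")
    if dec_int(err) != 0:
        raise ValueError("agent returned error-status %d" % dec_int(err))
    _, varbinds, _ = read_tlv(pdu, pos)
    result, pos = {}, 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        _, oid_raw, vpos = read_tlv(vb)
        vtag, vraw, _ = read_tlv(vb, vpos)
        value = vraw                                   # unknown types are left as raw bytes
        if vtag in (INTEGER, COUNTER32, GAUGE32, TIMETICKS):   # INTEGER is signed, the rest unsigned
            value = dec_int(vraw, signed=(vtag == INTEGER))
        elif vtag == OCTET_STRING:
            value = vraw.decode("latin-1")
        result[dec_oid(oid_raw)] = value
    return result

def demo():
    """Offline round trip: the request for the DD-WRT load OID, then a constructed agent reply (INTEGER 42)."""
    oid, rid = "1.3.6.1.4.1.2021.10.1.5.1", 0x1234
    request = build_message(GET_REQUEST, "public", rid, oid, tlv(NULL, b""))
    reply = build_message(GET_RESPONSE, "public", rid, oid, enc_int(42))   # constructed stand-in for the agent
    return request.hex(), parse_get_response(reply, rid)
```

The hex returned by `demo()` is the exact datagram a `check_snmp -C public -o 1.3.6.1.4.1.2021.10.1.5.1` poll puts on the wire (apart from the request-id), which is a useful thing to compare against a packet capture when a monitoring host and an agent disagree.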

Page 10

Benefits

No IDS, IPS, or Firewall is guaranteed to prevent or detect all attacks

The more information we have about our network, the easier we can identify potential problems and get alerts when something bad happens

General Benefits
  Spot overloaded equipment before it can bring down a network
  Help determine employee productivity
  Identify weak wide-area-network links and other bottlenecks
  Measure latency, or the delayed transfer of data
  Provides executives the ammo they need to justify network upgrades
  Prove SLAs are being met

Security Considerations
  Detect anomalous internal traffic that might indicate a security threat such as a DDoS attack
  Detect overloaded systems, crashed servers, lost network connections, virus or malware infections, and power outages

Page 11

Network Monitoring Solutions

Commercial – hardware appliances, software solutions and even outsourced service solutions (range from thousands to hundreds of thousands of dollars)
  HP OpenView – $$$
  CiscoWorks – $$$
  SolarWinds Orion – $$
  OpManager – $
  WhatsUp Gold – $
  PRTG – $

Open Source – innovative, inexpensive, and numerous – everyone likes free! (limited support – more difficult to set up)
  Nagios – (free with optional support license)
  MRTG

Page 12

Test Bed

Nagios 3.1.2
  Open Source / GPL / Free
  Network services like smtp, http, dns, and ftp can be easily monitored without the use of client add-ons

3 Part Setup
  Core
  Plugins – NSClient++
  Add-ons – Perl scripts, MIB info, etc.

Page 13

NSClient++

Easily monitor hosts, devices, services, protocols, and applications with Nagios

Page 14

Test Bed

Network Management System
  Ubuntu Desktop 9.04
  Apache 2
  PHP 5
  GCC compiler and development libraries
  GD graphics library
  Nagios 3.1.2 source code – sourceforge

Sample Clients
  Linux Server, 2 XP Laptops, 1 Networked Printer, 1 Linux Router/Switch

Page 15

Test Bed Continued…


Page 19

Linksys WRT54GS – DD-WRT

CPU check

# Nagios command definition: poll the router over SNMP (community "public") for
# UCD-SNMP-MIB laLoadInt.1, which the slide reports as a CPU percentage; warn at 60, critical at 70
define command{
    command_name    check_linksys_cpu
    command_line    $USER1$/check_snmp -H $HOSTADDRESS$ -C public -o 1.3.6.1.4.1.2021.10.1.5.1 -u % -w 60 -c 70
}

RAM check

# Nagios command definition: poll HOST-RESOURCES-MIB hrStorageUsed for storage index 101,
# reported in kB; warn at 27000, critical at 28000
define command{
    command_name    check_linksys_ram
    command_line    $USER1$/check_snmp -H $HOSTADDRESS$ -C public -o 1.3.6.1.2.1.25.2.3.1.6.101 -u kb -w 27000 -c 28000
}
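The `-w`/`-c` arguments in the two command definitions above, the "predefined threshold" alerts from the introduction and the SLA checks mentioned under active monitoring all rest on the same mechanism: a plugin compares a measured value against warning and critical ranges and returns an exit code that Nagios turns into a service state. The added example below (my own code, not part of the slides or of Nagios) implements the range syntax from the Nagios Plugin Development Guidelines, including the `10:`, `~:10` and inverted `@10:20` forms that go beyond the plain numbers used on the slide, builds the `TEXT | perfdata` output line a plugin prints, and adds a simplified version of Nagios' soft/hard state handling, which is what stops a single bad poll from paging anyone. The poll values are constructed.

```python
# Nagios plugin return codes; the scheduler maps these to the service state it displays and alerts on
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATUS = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

def parse_range(spec):
    """Nagios range syntax (Plugin Development Guidelines) -> (low, high, alert_inside).

    "10"     alert if value < 0 or > 10      "10:"    alert if value < 10
    "~:10"   alert if value > 10             "10:20"  alert if value < 10 or > 20
    "@10:20" alert if 10 <= value <= 20 (inverted range)
    """
    alert_inside = spec.startswith("@")
    spec = spec.lstrip("@")
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        low = float("-inf") if lo_s == "~" else float(lo_s or 0)
        high = float("inf") if hi_s == "" else float(hi_s)
    else:
        low, high = 0.0, float(spec)
    if low > high:
        raise ValueError("bad range %r: low end above high end" % spec)
    return low, high, alert_inside

def range_alerts(value, spec):
    low, high, alert_inside = parse_range(spec)
    inside = low <= value <= high
    return inside if alert_inside else not inside

def evaluate(value, warn=None, crit=None):
    """Critical is tested first so it wins when both ranges match, as check_snmp -w/-c behaves."""
    if crit is not None and range_alerts(value, crit):
        return CRITICAL
    if warn is not None and range_alerts(value, warn):
        return WARNING
    return OK

def plugin_output(label, value, uom="", warn=None, crit=None):
    """Return (exit code, output line) in the 'TEXT | perfdata' form Nagios parses from a plugin."""
    state = evaluate(value, warn, crit)
    perfdata = "'%s'=%s%s;%s;%s" % (label, value, uom, warn or "", crit or "")
    return state, "%s %s: %s = %s%s | %s" % (label.upper(), STATUS[state], label, value, uom, perfdata)

def notify_events(states, max_check_attempts=3):
    """Simplified Nagios soft/hard logic: a non-OK result only becomes a HARD problem (and notifies) after
    max_check_attempts consecutive non-OK checks; a return to OK after a HARD problem is a recovery."""
    attempts, events = 0, []
    for i, state in enumerate(states):
        if state == OK:
            if attempts >= max_check_attempts:
                events.append((i, "RECOVERY"))
            attempts = 0
        else:
            attempts += 1
            if attempts == max_check_attempts:
                events.append((i, "PROBLEM " + STATUS[state]))
    return events

# Constructed sample polls of the router's load OID (check_linksys_cpu thresholds -w 60 -c 70) and the
# storage OID (check_linksys_ram thresholds -w 27000 -c 28000); values chosen to exercise each state.
SAMPLE_CPU = [45, 65, 75, 75, 75, 50]
SAMPLE_RAM = [26000, 27500, 28500]

def demo():
    cpu_states = [evaluate(v, "60", "70") for v in SAMPLE_CPU]
    ram_states = [evaluate(v, "27000", "28000") for v in SAMPLE_RAM]
    return cpu_states, ram_states, notify_events(cpu_states, 3)
```

With `max_check_attempts=3`, the CPU series above produces one PROBLEM notification at the third consecutive critical poll and one RECOVERY when the value drops back under 60; the single warning poll before it never reaches a hard state and so never notifies, which is the behaviour to tune when deciding how quickly a DDoS-style traffic spike or a crashed server should page someone.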

Page 20

Conclusion

Nagios as a monitoring solution

Large company with a big budget – a commercial product would be easy to configure and support

Small to medium size company with a limited budget that enjoys the flexibility to completely customize its solution – consider Nagios or another Open Source/GPL product
  Requires Linux knowledge
  Requires more in-depth configuration and possibly custom coding to support specific devices

In general I would recommend a monitoring solution as an extra layer of security for any network

ROI analysis – costs will drive the solution

Page 21

References

[1] CIO Magazine (5 Jun 2009). Network Monitoring Definition and Solutions. Retrieved Jul 13, 2009 from http://www.cio.com/article/133700/Network_Monitoring_Definition_and_Solutions
[2] Ipswitch (14 Nov 2007). White Paper: The Value of Network Monitoring: Why It’s Essential to Know Your Network. Retrieved Jul 29, 2009 from http://www.whatsupgold.com/resources/whitepapers/Value_of_Network_Monitoring.pdf
[3] Landis+Gyr (2009). White Paper: Securing the Smart Grid: Gridstream Security Architecture. Retrieved Jun 6, 2009 from http://www.landisgyr.com/en/pub/home.cfm
[4] EMS Satcom (2008). Blue Force Tracking: System Nuances and EMS SATCOM’s Contributions. Retrieved Jul 20, 2009 from http://www.emssatcom.com/newsletters/2008/Nov/bus2.aspx
[5] Stanford SLAC (11 Mar 2001). Passive vs. Active Monitoring. Retrieved Jul 13, 2009 from http://www.slac.stanford.edu/comp/net/wan-mon/passive-vs-active.html
[6] TCP/IP Guide (n.d.). SNMP MIB Graphic. Retrieved Jul 29, 2009 from www.tcpipguide.com
[7] HP Website
[8] Wikipedia (27 Jul 2009). Comparison of network monitoring systems. Retrieved Jul 29, 2009 from http://en.wikipedia.org/wiki/Comparison_of_network_monitoring_systems
[9] Nagios (2009). Nagios. Retrieved Jul 13, 2009 from http://www.nagios.org/
[10] NSClient++ (n.d.). Installing NSClient++. Retrieved Jul 23, 2009 from http://nsclient.org/nscp/
[11] Nagios (n.d.). Nagios Quickstart Installation Guides. Retrieved Jul 23, 2009 from http://nagios.sourceforge.net/docs/3_0/quickstart.html